[TT-16767][Global] [Implementation] Centralised Error Overrides Infrastructure (#7867)

<!-- Provide a general summary of your changes in the Title above -->

## Description
This PR introduces a centralized Error Overrides feature, allowing for
the customization of error responses at the gateway level. This
functionality enables users to standardize error formats, hide internal
error details, and provide branded or localized messages for both
gateway-generated errors (e.g., auth failures, rate limits) and upstream
service errors (e.g., 4xx/5xx responses).

The implementation is optimized for performance, featuring a near-zero
overhead path when no overrides are configured. All matching rules,
including regular expressions and inline templates, are pre-compiled at
gateway startup to ensure minimal latency during error handling.

<!-- Describe your changes in detail -->

# Error Override Performance Benchmarks

## Executive Summary

The error override feature adds **negligible performance overhead** to
the error handling path:

- **No overrides configured**: ~5 ns/op overhead (fast path with map
length check)
- **Direct message override**: ~5.8 μs/op vs ~11.1 μs/op baseline (48%
**faster** than default template)
- **With template execution**: ~7-11 μs/op (comparable to or faster than
default template rendering)

**Optimization:** The code checks if overrides exist before entering the
override path, ensuring minimal impact on existing deployments.

## Detailed Results

### 1. ApplyOverride - Matching Performance

Testing the core matching logic that determines if an override should be
applied:

```
BenchmarkApplyOverride/no_overrides_configured                        4.05 ns/op       0 B/op       0 allocs/op
BenchmarkApplyOverride/exact_code_match                               55.0 ns/op      32 B/op       1 allocs/op
BenchmarkApplyOverride/pattern_match_4xx                              66.2 ns/op      32 B/op       1 allocs/op
BenchmarkApplyOverride/regex_pattern_match                           219.8 ns/op      32 B/op       1 allocs/op
BenchmarkApplyOverride/regex_pattern_non-match                       169.8 ns/op       0 B/op       0 allocs/op
BenchmarkApplyOverride/JSON_body_field_match                         226.9 ns/op      48 B/op       2 allocs/op
BenchmarkApplyOverride/multiple_rules_-_first_match                  235.5 ns/op      32 B/op       1 allocs/op
```

**Key Findings:**
- **No configuration**: ~4 ns overhead - very low
- **Exact code match**: ~55 ns (O(1) hash map lookup)
- **Pattern match** (4xx/5xx): ~66 ns (prefix calculation + map lookup)
- **Regex matching**: ~220 ns (compiled regex)
- **JSON path matching**: ~227 ns (gjson library)

### 2. Flag-Based Matching (Error Classification)

Flag matching uses the error classification system for semantic matching
- matching by error *type* rather than text patterns:

```
BenchmarkApplyOverride/flag_match_-_exact_match                       92.9 ns/op      32 B/op       1 allocs/op
BenchmarkApplyOverride/flag_match_-_no_classification                 26.8 ns/op       0 B/op       0 allocs/op
BenchmarkApplyOverride/flag_match_-_fallback_to_regex                193.9 ns/op      32 B/op       1 allocs/op
BenchmarkApplyOverride/multiple_flag_rules_-_first_match             104.7 ns/op      32 B/op       1 allocs/op
BenchmarkApplyOverride/multiple_flag_rules_-_catch_all               110.7 ns/op      32 B/op       1 allocs/op
```

**Flag vs Regex Performance Comparison:**
```
BenchmarkApplyOverride/flag_vs_regex_-_flag                           75.1 ns/op      32 B/op       1 allocs/op
BenchmarkApplyOverride/flag_vs_regex_-_regex                         173.2 ns/op       0 B/op       0 allocs/op
```

**Key Findings:**
- **Flag matching is ~2.3x faster than regex** (75 ns vs 173 ns)
- **No classification in context**: 26.8 ns (very fast early exit)
- **Multiple flag rules**: ~105-111 ns (efficient even with multiple
rules)
- **Fallback to regex**: ~194 ns (checks flag first, then regex)
- Flag matching is a simple string comparison vs regex execution

### 3. WriteOverrideResponse vs WriteTemplateErrorResponse

Direct comparison of error response writing:

```
Response Method                                           Time         Memory    Allocs
--------------------------------------------------------------------------------------
BenchmarkWriteOverrideResponse/direct_message             5.8 μs      7312 B    31 allocs
BenchmarkWriteOverrideResponse/inline_template_JSON       9.5 μs      7745 B    49 allocs
BenchmarkWriteOverrideResponse/inline_template_XML        7.4 μs      7513 B    38 allocs
BenchmarkWriteOverrideResponse/file_template_JSON        10.2 μs      8001 B    51 allocs
BenchmarkWriteOverrideResponse/file_template_XML          7.7 μs      7769 B    40 allocs
BenchmarkWriteOverrideResponse/with_custom_headers       11.1 μs      8537 B    67 allocs

BenchmarkWriteTemplateErrorResponse/default_JSON         11.1 μs      7532 B    41 allocs
```

**Key Findings:**
- **Direct message writing**: 5.8 μs - **48% faster** than default
template (11.1 μs)
  - Best performance when no templating needed
  - Writes JSON/XML response directly
- **Inline template**: 7.4-9.5 μs - Also faster than default
  - Allows dynamic {{.StatusCode}} and {{.Message}} substitution
  - Very efficient
- **File template**: 7.7-10.2 μs - Within acceptable range
  - Reuses existing template infrastructure
  - Performance varies by template complexity

### 4. Compilation Performance

One-time cost during gateway startup or API reload:

```
BenchmarkCompileErrorOverrides/single_exact_code          0.76 μs      520 B     6 allocs
BenchmarkCompileErrorOverrides/multiple_exact_codes       1.67 μs     1000 B    14 allocs
BenchmarkCompileErrorOverrides/with_regex_patterns        0.76 μs      624 B     6 allocs
BenchmarkCompileErrorOverrides/with_inline_templates     12.23 μs     8240 B    99 allocs
BenchmarkCompileErrorOverrides/mixed_exact_and_patterns   2.01 μs     1374 B    17 allocs
```

**Key Findings:**
- Simple configurations compile in ~0.8-2 μs
- Regex compilation adds minimal overhead
- Template compilation is more expensive (~12 μs) but happens only at
startup
- All costs are one-time during configuration load

## Fast Path Optimization

Testing the entry point `tryWriteOverride` with empty vs configured
overrides:

```
BenchmarkTryWriteOverride/empty_config_-_fast_path               5.14 ns/op       0 B/op       0 allocs/op
BenchmarkTryWriteOverride/config_exists_-_match_with_direct_body 2450 ns/op    1824 B/op      22 allocs/op
```

**Key Findings:**
- The optimization checks `len(e.Spec.GlobalConfig.ErrorOverrides) == 0`
before proceeding
- When empty (no overrides configured), returns immediately without
atomic loads
- Fast path overhead: ~5 ns with zero allocations
- This is **476x faster** than processing a match (~2.5 μs)
- This is **43x faster** than a regex match (~220 ns)

## Performance Impact Analysis

### Hot Path (Every Error Response)

When **no overrides are configured** (most common case):
- Overhead: **~5 ns** per error (fast path with map length check)
- Memory: 0 bytes allocated
- **Impact: Virtually zero** - immeasurable in real-world operations

When **overrides are configured and match**:
- Best case (direct message): **48% faster** than default template
- Typical case (inline template): ~15-33% faster than default
- Worst case (file template JSON): ~10 μs (comparable to default)

### Cold Path (Gateway Startup)

Compilation happens once during:
- Gateway initialization
- API configuration reload
- Overhead: ~0.8-12 μs depending on complexity
- **Impact: Negligible** - happens infrequently

## Memory Allocation Analysis

Memory allocations per error response:

```
Operation                      Allocations    Bytes
----------------------------------------------------
No override check              0 allocs       0 B
Exact code match               1 alloc        32 B
Pattern match (4xx/5xx)        1 alloc        32 B
Flag match (exact)             1 alloc        32 B
Flag match (no classification) 0 allocs       0 B
Regex pattern match            1 alloc        32 B
Direct message write           31 allocs      7312 B
Inline template execution      49 allocs      7745 B
Default template               41 allocs      7532 B
```

**Key Findings:**
- Zero allocations when no overrides configured
- Zero allocations for flag match when no classification in context
- Minimal allocation (32B) for matching logic
- Direct message writing uses similar memory to default template
- No memory leaks or unbounded allocations

## Scalability Considerations

### Large Body Handling
```
BenchmarkApplyOverride/large_body_truncation              1.28 μs      538 B     6 allocs
```
- Large bodies (>4KB) are truncated before pattern matching
- Prevents performance degradation with large error responses
- Adds ~1.3 μs overhead only when bodies exceed 4KB

### Multiple Rules
```
BenchmarkApplyOverride/multiple_rules_-_first_match       236 ns       32 B/op   1 allocs
```
- First-match semantics ensure O(n) worst case
- In practice, most errors match within 1-2 rules
- No performance degradation with reasonable rule counts

## Conclusions

**Virtually zero overhead when disabled**: ~5 ns (fast path with map
length check) - immeasurable in production

**Optimized check path**: Early exit when no overrides configured
prevents significant overhead

**Status code matching is fast**: Both exact (~55 ns) and pattern (~66
ns) matching are very efficient

**Flag matching is ~2.3x faster than regex**: 75 ns vs 173 ns for
semantic error matching

**Faster for simple overrides**: Direct message writing is 48% faster
than default templates

**Acceptable overhead for advanced features**: Template execution adds
reasonable overhead for the flexibility gained

**Efficient matching**: O(1) lookups for exact codes, fast flag
comparison, pre-compiled regex

**No memory leaks**: Bounded allocations, pre-compiled patterns


## Recommendations

For **best performance**:
1. Use flag-based matching when possible (~2.3x faster than regex)
2. Use direct message writing (no template variables) when possible
3. Keep regex patterns simple
4. Pre-compile overrides at startup (already implemented)

For **optimal flexibility**:
1. Use flag matching for semantic error types (e.g., `RLT` for rate
limiting)
2. Use inline templates with {{.StatusCode}} and {{.Message}}
3. Use file templates for complex responses
4. Use JSON body field matching for structured upstream error responses
5. Use regex patterns as fallback when flag classification isn't
available
6. Both exact and pattern (4xx/5xx) status code matching are efficient
(~55-66 ns)

---

**Test Environment:**
- Machine: Apple M1 Pro
- Go Version: 1.25.1
- OS: macOS (darwin/arm64)
- Benchmark Duration: 3 seconds per benchmark



## Related Issue

<!-- This project only accepts pull requests related to open issues. -->
<!-- If suggesting a new feature or change, please discuss it in an
issue first. -->
<!-- If fixing a bug, there should be an issue describing it with steps
to reproduce. -->
<!-- OSS: Please link to the issue here. Tyk: please create/link the
JIRA ticket. -->

## Motivation and Context

<!-- Why is this change required? What problem does it solve? -->

## How This Has Been Tested

<!-- Please describe in detail how you tested your changes -->
<!-- Include details of your testing environment, and the tests -->
<!-- you ran to see how your change affects other areas of the code,
etc. -->
<!-- This information is helpful for reviewers and QA. -->

## Screenshots (if appropriate)

## Types of changes

<!-- What types of changes does your code introduce? Put an `x` in all
the boxes that apply: -->

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
- [ ] Refactoring or add test (improvements in base code or adds test
coverage to functionality)

## Checklist

<!-- Go over all the following points, and put an `x` in all the boxes
that apply -->
<!-- If there are no documentation updates required, mark the item as
checked. -->
<!-- Raise up any additional concerns not covered by the checklist. -->

- [ ] I ensured that the documentation is up to date
- [ ] I explained why this PR updates go.mod in detail with reasoning
why it's required
- [ ] I would like a code coverage CI quality gate exception and have
explained why

















<!---TykTechnologies/jira-linter starts here-->

### Ticket Details

<details>
<summary>
<a href="https://tyktech.atlassian.net/browse/TT-16767" title="TT-16767"
target="_blank">TT-16767</a>
</summary>

|         |    |
|---------|----|
| Status  | Ready for Testing |
| Summary | [1a] Implement Centralised Error Overrides Infrastructure |

Generated at: 2026-03-17 16:11:43

</details>

<!---TykTechnologies/jira-linter ends here-->

---------

Co-authored-by: Edson Michaque <edson@michaque.com>
Co-authored-by: andyo-tyk <99968932+andyo-tyk@users.noreply.github.com>
Co-authored-by: Vlad Zabolotnyi <109525963+vladzabolotnyi@users.noreply.github.com>
Co-authored-by: Vlad Zabolotnyi <vlad.z@tyk.io>
Co-authored-by: Leonid Bugaev <leonsbox@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: andrei-tyk <97896463+andrei-tyk@users.noreply.github.com>
Co-authored-by: Laurentiu <6229829+lghiur@users.noreply.github.com>
Co-authored-by: Burak Sezer <burak.sezer.developer@gmail.com>

Author: 10 people

apidef/api_definitions.go

@@ -792,6 +792,10 @@ type APIDefinition struct {
 	// SecurityRequirements stores all OAS security requirements (auto-populated from OpenAPI description import)
 	// When len(SecurityRequirements) > 1, OR logic is automatically applied
 	SecurityRequirements [][]string `json:"security_requirements,omitempty" bson:"security_requirements,omitempty"`
+
+	// ErrorOverrides contains the configurations for error response customization.
+	ErrorOverrides         ErrorOverridesMap `bson:"error_overrides" json:"error_overrides"`
+	ErrorOverridesDisabled bool              `bson:"error_overrides_disabled" json:"error_overrides_disabled" `
 }
 
 type JWK struct {
@@ -1601,6 +1605,26 @@ func DummyAPI() APIDefinition {
 		},
 	}
 
+	errorOverrides := ErrorOverridesMap{
+		"400": []ErrorOverride{
+			{
+				Match: &ErrorMatcher{
+					Flag:           "RLT",
+					MessagePattern: ".*",
+					BodyField:      "error",
+					BodyValue:      "invalid",
+				},
+				Response: ErrorResponse{
+					StatusCode: 400,
+					Body:       "Bad Request",
+					Message:    "Error",
+					Template:   "error",
+					Headers:    map[string]string{"X-Error": "true"},
+				},
+			},
+		},
+	}
+
 	return APIDefinition{
 		VersionData:          versionData,
 		ConfigData:           map[string]interface{}{},
@@ -1632,9 +1656,10 @@ func DummyAPI() APIDefinition {
 		Proxy: ProxyConfig{
 			DisableStripSlash: true,
 		},
-		CORS:    defaultCORSConfig,
-		Tags:    []string{},
-		GraphQL: graphql,
+		CORS:           defaultCORSConfig,
+		Tags:           []string{},
+		GraphQL:        graphql,
+		ErrorOverrides: errorOverrides,
 	}
 }
 

apidef/api_definitions_test.go

@@ -7,7 +7,9 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
+	"github.com/TykTechnologies/tyk/internal/errors"
 	"github.com/TykTechnologies/tyk/internal/service/gojsonschema"
 )
 
@@ -718,6 +720,258 @@ func TestAPIDefinition_IsBaseAPI(t *testing.T) {
 	}
 }
 
+func TestAPIDefinition_ErrorOverrides_UnmarshalJSON(t *testing.T) {
+	t.Run("basic error override", func(t *testing.T) {
+		jsonData := []byte(`{
+		  "name": "Test API Override Upstream",
+		  "api_id": "test-api-override-upstream",
+		  "org_id": "default",
+		  "use_keyless": true,
+		  "error_overrides_disabled": false,
+		  "error_overrides": {
+			"404": [
+			  {
+				"response": {
+				  "status_code": 420,
+				  "body": "{\"error\": \"api_level_upstream\", \"status\": 404}",
+				  "headers": {
+					"X-Error-Flag": "UPSTREAM-API",
+					"X-Override-Applied": "true"
+				  }
+				}
+			  }
+			]
+		  }
+	    }`)
+
+		var api APIDefinition
+		err := json.Unmarshal(jsonData, &api)
+		require.NoError(t, err)
+
+		require.NotNil(t, api.ErrorOverrides)
+		require.Len(t, api.ErrorOverrides["404"], 1)
+		assert.Equal(t, 420, api.ErrorOverrides["404"][0].Response.StatusCode)
+		assert.False(t, api.ErrorOverridesDisabled)
+	})
+
+	t.Run("complete error override with all fields", func(t *testing.T) {
+		jsonData := []byte(`{
+		  "name": "Test API Complete Override",
+		  "api_id": "test-api-complete-override",
+		  "org_id": "default",
+		  "use_keyless": true,
+		  "error_overrides_disabled": false,
+		  "error_overrides": {
+			"500": [
+			  {
+				"match": {
+				  "flag": "TLE",
+				  "message_pattern": "timeout.*error",
+				  "body_field": "error.type",
+				  "body_value": "timeout"
+				},
+				"response": {
+				  "status_code": 503,
+				  "body": "{\"error\": \"Certificate expired\", \"retry_after\": 30}",
+				  "message": "Custom timeout error message",
+				  "template": "error_template.html",
+				  "headers": {
+					"X-Custom-Error": "TIMEOUT",
+					"Retry-After": "30",
+					"Content-Type": "application/json"
+				  }
+				}
+			  }
+			],
+			"401": [
+			  {
+				"match": {
+				  "flag": "TLI",
+				  "body_field": "error.code",
+				  "body_value": "INVALID_TOKEN"
+				},
+				"response": {
+				  "status_code": 401,
+				  "body": "{\"error\": \"Certificate invalid\"}",
+				  "message": "Token validation failed",
+				  "headers": {
+					"WWW-Authenticate": "Bearer",
+					"X-Auth-Error": "true"
+				  }
+				}
+			  }
+			]
+		  }
+	    }`)
+
+		var api APIDefinition
+		err := json.Unmarshal(jsonData, &api)
+		require.NoError(t, err)
+
+		require.NotNil(t, api.ErrorOverrides)
+		require.False(t, api.ErrorOverridesDisabled)
+		require.Len(t, api.ErrorOverrides, 2)
+
+		require.Len(t, api.ErrorOverrides["500"], 1)
+		override500 := api.ErrorOverrides["500"][0]
+
+		require.NotNil(t, override500.Match)
+		assert.Equal(t, errors.TLE, override500.Match.Flag)
+		assert.Equal(t, "timeout.*error", override500.Match.MessagePattern)
+		assert.Equal(t, "error.type", override500.Match.BodyField)
+		assert.Equal(t, "timeout", override500.Match.BodyValue)
+
+		assert.Equal(t, 503, override500.Response.StatusCode)
+		assert.Equal(t, "{\"error\": \"Certificate expired\", \"retry_after\": 30}", override500.Response.Body)
+		assert.Equal(t, "Custom timeout error message", override500.Response.Message)
+		assert.Equal(t, "error_template.html", override500.Response.Template)
+		require.Len(t, override500.Response.Headers, 3)
+		assert.Equal(t, "TIMEOUT", override500.Response.Headers["X-Custom-Error"])
+		assert.Equal(t, "30", override500.Response.Headers["Retry-After"])
+		assert.Equal(t, "application/json", override500.Response.Headers["Content-Type"])
+
+		require.Len(t, api.ErrorOverrides["401"], 1)
+		override401 := api.ErrorOverrides["401"][0]
+
+		require.NotNil(t, override401.Match)
+		assert.Equal(t, errors.TLI, override401.Match.Flag)
+		assert.Equal(t, "", override401.Match.MessagePattern)
+		assert.Equal(t, "error.code", override401.Match.BodyField)
+		assert.Equal(t, "INVALID_TOKEN", override401.Match.BodyValue)
+
+		assert.Equal(t, 401, override401.Response.StatusCode)
+		assert.Equal(t, "{\"error\": \"Certificate invalid\"}", override401.Response.Body)
+		assert.Equal(t, "Token validation failed", override401.Response.Message)
+		assert.Equal(t, "", override401.Response.Template)
+		require.Len(t, override401.Response.Headers, 2)
+		assert.Equal(t, "Bearer", override401.Response.Headers["WWW-Authenticate"])
+		assert.Equal(t, "true", override401.Response.Headers["X-Auth-Error"])
+	})
+
+	t.Run("multiple overrides for same status code", func(t *testing.T) {
+		jsonData := []byte(`{
+		  "name": "Test API Multiple Overrides",
+		  "api_id": "test-api-multiple-overrides",
+		  "org_id": "default",
+		  "use_keyless": true,
+		  "error_overrides_disabled": true,
+		  "error_overrides": {
+			"400": [
+			  {
+				"match": {
+				  "body_field": "error.type",
+				  "body_value": "validation"
+				},
+				"response": {
+				  "status_code": 422,
+				  "body": "{\"error\": \"Validation failed\"}"
+				}
+			  },
+			  {
+				"match": {
+				  "body_field": "error.type",
+				  "body_value": "malformed"
+				},
+				"response": {
+				  "status_code": 400,
+				  "body": "{\"error\": \"Malformed request\"}"
+				}
+			  }
+			]
+		  }
+	    }`)
+
+		var api APIDefinition
+		err := json.Unmarshal(jsonData, &api)
+		require.NoError(t, err)
+
+		require.NotNil(t, api.ErrorOverrides)
+		require.True(t, api.ErrorOverridesDisabled)
+		require.Len(t, api.ErrorOverrides["400"], 2)
+
+		assert.Equal(t, "validation", api.ErrorOverrides["400"][0].Match.BodyValue)
+		assert.Equal(t, 422, api.ErrorOverrides["400"][0].Response.StatusCode)
+
+		assert.Equal(t, "malformed", api.ErrorOverrides["400"][1].Match.BodyValue)
+		assert.Equal(t, 400, api.ErrorOverrides["400"][1].Response.StatusCode)
+	})
+
+	t.Run("override without match criteria", func(t *testing.T) {
+		jsonData := []byte(`{
+		  "name": "Test API No Match Override",
+		  "api_id": "test-api-no-match-override",
+		  "org_id": "default",
+		  "use_keyless": true,
+		  "error_overrides_disabled": false,
+		  "error_overrides": {
+			"502": [
+			  {
+				"response": {
+				  "status_code": 503,
+				  "body": "{\"error\": \"Service unavailable\"}",
+				  "message": "Upstream service is down",
+				  "template": "maintenance.html",
+				  "headers": {
+					"X-Maintenance": "true"
+				  }
+				}
+			  }
+			]
+		  }
+	    }`)
+
+		var api APIDefinition
+		err := json.Unmarshal(jsonData, &api)
+		require.NoError(t, err)
+
+		require.NotNil(t, api.ErrorOverrides)
+		require.False(t, api.ErrorOverridesDisabled)
+		require.Len(t, api.ErrorOverrides["502"], 1)
+
+		override := api.ErrorOverrides["502"][0]
+		assert.Nil(t, override.Match)
+		assert.Equal(t, 503, override.Response.StatusCode)
+		assert.Equal(t, "{\"error\": \"Service unavailable\"}", override.Response.Body)
+		assert.Equal(t, "Upstream service is down", override.Response.Message)
+		assert.Equal(t, "maintenance.html", override.Response.Template)
+		assert.Equal(t, "true", override.Response.Headers["X-Maintenance"])
+	})
+
+	t.Run("empty error overrides", func(t *testing.T) {
+		jsonData := []byte(`{
+		  "name": "Test API Empty Overrides",
+		  "api_id": "test-api-empty-overrides",
+		  "org_id": "default",
+		  "use_keyless": true,
+		  "error_overrides": {}
+	    }`)
+
+		var api APIDefinition
+		err := json.Unmarshal(jsonData, &api)
+		require.NoError(t, err)
+
+		require.NotNil(t, api.ErrorOverrides)
+		require.False(t, api.ErrorOverridesDisabled)
+		assert.Len(t, api.ErrorOverrides, 0)
+	})
+
+	t.Run("nil error overrides", func(t *testing.T) {
+		jsonData := []byte(`{
+		  "name": "Test API Nil Overrides",
+		  "api_id": "test-api-nil-overrides",
+		  "org_id": "default",
+		  "use_keyless": true
+	    }`)
+
+		var api APIDefinition
+		err := json.Unmarshal(jsonData, &api)
+		require.NoError(t, err)
+
+		assert.Nil(t, api.ErrorOverrides)
+		require.False(t, api.ErrorOverridesDisabled)
+	})
+}
+
 func TestAPIDefinition_IsBaseAPIWithVersioning(t *testing.T) {
 	tests := []struct {
 		name     string